Honeypots have proven to be an effective tool for capturing computer intrusions (or malware infections) and analyzing their exploitation techniques. However, forensic analysis of compromised honeypots is largely an ad hoc and manual process. In this paper, the authors propose Timescope, a system that applies and extends recent advances in deterministic record and replay to high-interaction honeypots for extensible, fine-grained forensic analysis. In particular, they propose and implement a number of systematic analysis modules in Timescope, including a contamination graph generator, a transient evidence recoverer, a shellcode extractor and a break-in reconstructor, to facilitate honeypot forensics.